On Tue, Dec 10, 2019 at 08:32:17PM +0100, Heinrich Schuchardt wrote:
> On 12/10/19 9:56 AM, Cristian Ciocaltea wrote:
> > Add support for booting EFI binaries contained in FIT images.
> > A typical usage scenario is chain-loading GRUB2 in a verified
> > boot environment.
> >
> > Signed-off-by: Cristian Ciocaltea<cristian.ciocal...@gmail.com>
>
> Reading through the code it looks good. What I really need to do is
> analyze the address usage on the sandbox. To me it is unclear if
> images->fdt_addr is a physical address or an address in the address
> space of the sandbox.
>
> Did you test this on the sandbox? You can use
> lib/efi_loader/helloworld.efi as a binary and the 'host load hostfs'
> command for loading the FIT image.

I only tested on qemu, I've never used the sandbox, so it's a good
opportunity to give it a try.

> Shouldn't we add booting a UEFI FIT image to the Python test in
> test/py/tests/test_fit.py?

Unfortunately I'm not familiar with the testing framework (including
Python scripting), but I'll do my best to add such a test.

> doc/uImage.FIT/signature.txt describes that several properties of the
> RSA public key should be stored in the control device tree.
> Unfortunately no example is supplied in which format they should be
> stored. Could you send me an example, please.
>
> I found the following
>
> https://github.com/bn121rajesh/ipython-notebooks/blob/master/BehindTheScene/RSAPublicKeyParamsUBoot/rsa_public_key_params_uboot.ipynb
>
> Is this an accurate description? Or how do you get the parameters from
> your RSA public key?

My test scenario involves the following steps:

1. Create a public/private key pair
   $ openssl genpkey -algorithm RSA -out ${DEV_KEY} \
       -pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:65537

2. Create a certificate containing the public key
   $ openssl req -batch -new -x509 -key ${DEV_KEY} -out ${DEV_CRT}

3. Dump QEMU virt board DTB
   $ qemu-system-arm -nographic -M virt,dumpdtb=${BOARD_DTB} \
       -cpu cortex-a15 -smp 1 -m 512 -bios u-boot.bin [...]

4. Create (unsigned) FIT image and put the public key into DTB, with
   the 'required' property set, telling U-Boot that this key MUST be
   verified for the image to be valid
   $ mkimage -f ${FIT_ITS} -K ${BOARD_DTB} -k ${KEYS_DIR} -r ${FIT_IMG}

5. Sign the FIT image
   $ fit_check_sign -f ${FIT_IMG} -k ${BOARD_DTB}

6. Run QEMU supplying the DTB containing the public key and the u-boot
   binary built with CONFIG_OF_BOARD
   $ qemu-system-arm -nographic \
       -M virt -cpu cortex-a15 -smp 1 -m 512 -bios u-boot.bin \
       -dtb ${BOARD_DTB} [...]

This is what I get after booting QEMU with the command above:

=> fdt addr $fdtcontroladdr
=> fdt print
/ {
	[...]
	signature {
		key-dev {
			required = "conf";
			algo = "sha256,rsa2048";
			rsa,r-squared = * 0x5ef05188 [0x00000100];
			rsa,modulus = * 0x5ef05294 [0x00000100];
			rsa,exponent = <0x00000000 0x00010001>;
			rsa,n0-inverse = <0x649cd557>;
			rsa,num-bits = <0x00000800>;
			key-name-hint = "dev";
		};
	};
	[...]

> Best regards
>
> Heinrich
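
The rsa,* properties in the dump above can be recomputed from the public key alone, which is a useful check that a control DTB really carries the key you expect. The following is an added example, not part of the original thread and not U-Boot's own code; it assumes the definitions rsa,n0-inverse = -1/n mod 2^32 and rsa,r-squared = (2^num-bits)^2 mod n, and the modulus it uses is a constructed odd number, not a real key.

```python
# Added example: derive the rsa,* helper values that sit next to an RSA
# public key in the control DTB. The formulas are assumptions stated in the
# lead-in; function names here are hypothetical, not a U-Boot API.
WORD = 1 << 32  # the properties are stored as big-endian 32-bit cells


def fit_rsa_params(n: int, e: int) -> dict:
    """Return the property values for modulus n and public exponent e."""
    if n <= 0 or n % 2 == 0:
        raise ValueError("RSA modulus must be a positive odd integer")
    num_bits = n.bit_length()
    # -1 / n mod 2^32: Montgomery constant for the least significant word
    n0_inverse = (WORD - pow(n % WORD, -1, WORD)) % WORD
    # (2^num_bits)^2 mod n: used to convert values into Montgomery form
    r_squared = pow(2, 2 * num_bits, n)
    return {
        "rsa,num-bits": num_bits,
        "rsa,exponent": e,
        "rsa,n0-inverse": n0_inverse,
        "rsa,modulus": n,
        "rsa,r-squared": r_squared,
    }


def to_cells(value: int, bits: int) -> str:
    """Format an integer as big-endian 32-bit cells, e.g. <0x00000800>."""
    raw = value.to_bytes(bits // 8, "big")
    cells = [int.from_bytes(raw[i:i + 4], "big") for i in range(0, len(raw), 4)]
    return "<" + " ".join(f"0x{c:08x}" for c in cells) + ">"


def constructed_modulus(bits: int = 2048) -> int:
    """Constructed sample: odd, top bit set. NOT a real RSA modulus."""
    return (1 << (bits - 1)) | (0x0123456789ABCDEF << 64) | 0x9E3779B97F4A7C15


if __name__ == "__main__":
    p = fit_rsa_params(constructed_modulus(), 65537)
    print("rsa,num-bits   =", to_cells(p["rsa,num-bits"], 32))
    print("rsa,exponent   =", to_cells(p["rsa,exponent"], 64))
    print("rsa,n0-inverse =", to_cells(p["rsa,n0-inverse"], 32))
    print("rsa,r-squared  =", to_cells(p["rsa,r-squared"], 2048)[:40], "...")
```

With the real modulus taken from ${DEV_KEY}, the rsa,n0-inverse and rsa,num-bits cells printed here should match what 'fdt print' shows under the signature node.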